Re: [edk2-devel] [RFC PATCH 0/7] OVMF: Disable the TPM2 platform hierarchy

[Marvin Häuser]

Hey Jiewen,
Hey Stefan,

On 07.08.21 08:00, Yao, Jiewen wrote:
Hi Stefan
It seems this patch series is not a production fix. It is more like a 
prototype, my personally feeling.
A common issue in patch 2, 3, 4, 5, is that using "comment" to remove the code. 
Please remove the unnecessary code directly without // or /**/ in C, and # in INF.

For patch 1, if you want to move the code to SecurityPkg, that is fine. Please 
move the whole driver their and you should not remove and code by comment. 
Please fix the issue to make it pass build, instead of commenting the code like 
work-around.
Otherwise, you may copy the module to OvmfPkg. Then you can modify it as you 
need.

Maybe there should be stricter policies about what code goes where, and 
duplication should be outright banned? My PE/COFF loader proposal merged 
at least 4 copies of the Authenticode hashing and 3 copies of a record 
construction algorithm together. There have been other code 
centralisations, such as certificate iteration. If code exists twice, it 
needs to me maintained twice, and in reality this does not happen.

Regarding what goes where, e.g. FatPkg is in edk2, but the new EXT4 
driver was recommended to be located in edk2-platforms. I know there are 
a bunch of TPM-related things (e.g. Image measuring) in SecurityPkg, and 
as someone with no expertise around TPM or the edk2-platforms design, I 
would never even have thought to look in edk2-platforms for such code. 
And especially for library code edk2-platforms seems to be an 
unfortunate location, as edk2 packages can never depend on them.

Please also merge 2, 3, 4 into 1. I don’t think we want a broken patch in 1, 
then add fix in 2, 3, 4.

I think for this initial inspection this was actually a good thing. The 
separation and the patches after 1 signal to me that there have been no 
functional changes to the library at all. Probably the best idea is to 
just move it to SecurityPkg entirely, including the PCDs, and update 
MinPlatformPkg to consume it from there instead?

Best regards,
Marvin


Thank you
Yao Jiewen

-----Original Message-----
From: Stefan Berger <stef...@linux.vnet.ibm.com>
Sent: Friday, August 6, 2021 11:33 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen....@intel.com>
Cc: marcandre.lur...@redhat.com; ler...@redhat.com;
dick_wilk...@phoenix.com; Stefan Berger <stef...@linux.vnet.ibm.com>
Subject: [RFC PATCH 0/7] OVMF: Disable the TPM2 platform hierarchy

This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in OVMF. It addresses the OVMF
aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

There's no doubt that my struggles with the build system and handling
of dependencies are visible in this series. Quite a few aspects of
getting things right are more or less guesswork and I am often not sure
what the correct way of doing things are. If 'you' wanted to fix
things up and repost it, please go ahead...

Stefan

Stefan Berger (7):
   SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
     edk2-platforms
   SecruityPkg/TPM: Disable dependency on MinPlatformPkg
   SecurityPkg/TPM: Disable PcdGetBool (PcdRandomizePlatformHierarchy)
   SecurityPkg/TPM: Disable a Pcd
   SecurityPkg/TPM: Add a NULL implementation of
     PeiDxeTpmPlatformHierarchyLib
   OVMF: Reference new classes in the build system for compilation
   OVMF: Disable the TPM2 platform hierarchy

  OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
  .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
  .../PlatformBootManagerLib.inf                |   1 +
  .../PlatformBootManagerLibBhyve/BdsPlatform.c |   6 +
  .../PlatformBootManagerLibGrub/BdsPlatform.c  |   6 +
  OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
  OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
  OvmfPkg/OvmfPkgX64.dsc                        |   3 +
  .../Include/Library/TpmPlatformHierarchyLib.h |  27 ++
  .../PeiDxeTpmPlatformHierarchyLib.c           | 266 ++++++++++++++++++
  .../PeiDxeTpmPlatformHierarchyLib.inf         |  46 +++
  .../PeiDxeTpmPlatformHierarchyLib.c           |  23 ++
  .../PeiDxeTpmPlatformHierarchyLib.inf         |  39 +++
  13 files changed, 432 insertions(+)
  create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
  create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.c
  create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.inf
  create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHi
erarchyLib.c
  create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHi
erarchyLib.inf

--
2.31.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78844): https://edk2.groups.io/g/devel/message/78844
Mute This Topic: https://groups.io/mt/84712022/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-